Discourse 2.0.0.beta4 Release Notes

New features in 2.0.0.beta4

Two Factor Authentication via TOTP

Thanks to community contributor @awole20 we now support Two Factor Authentication on Discourse!

Two Factor Authentication can be enabled from a user’s preferences page.

After verifying their password a user is prompted to scan the QR code via a supported app on their mobile device.

After enabling Two Factor Authentication all existing login sessions are invalidated (you’ll need to log into all browsers again). After entering a username and password you’ll be prompted for the current authentication code in the app.

Important Note: Two Factor Authentication only works with local logins. You cannot use social logins when Two Factor Authentication is enabled, and Two Factor Authentication cannot be activated if a site uses SSO.

Add group name to PM email subject

Thanks to community contributor @LeoMcA you can now choose to display the group name in the email subject from group PMs instead of simply displaying [PM]. This is controlled via the site setting group in subject (default off).

Additional allowed file types for staff

Previously staff users were restricted to uploading the same file types as normal users. Admins can now allow additional file types for staff users only via the authorized extensions for staff site setting.

Search in title

Thanks to community contributor @jorge_manrubia and Discourse engineer @sam you can now scope search to topic title only. Searching in title (in:title) is not yet included in the advanced search UI; you must type it by hand. Please note that it may take time for a search reindex to complete after the update before this will work. See Search only within topic titles for more details.

Suppress category from latest

Previously categories had a setting suppress category from homepage that would hide a category from the site’s homepage, whatever that may be. However, this setting did not interact well with the user-selectable Default Home Page preference. To avoid the unexpected interaction the category setting is now suppress_from_latest, and only hides topics in the given category from the latest view, regardless of whether it’s the homepage. To continue hiding a category on the category page you can use CSS.

Allow staff to tag PMs

Staff can now add tags to PMs to assist with organization. Tags are visible to all staff and cannot be seen by normal users. PM tagging is still actively being improved; please provide feedback in Feedback on feature enabling staff to add tags to personal messages.

New category page layout: Categories and Top

We’ve added a new desktop category page style, Categories and Top Topics. This is similar to the existing default Categories and Latest Topics, but displays Top topics in the right column instead of Latest.

Theme Settings

Thanks to community contributor @Osama theme developers can now include theme settings in their themes. This will allow theme users to easily customize themes to their needs, including modifying colors, URLs, and other theme data. See Add support for theme settings for more details. A proper #howto topic should be available soon.

Rake task for merging users

A new rake task to merge user accounts is now available. This task will merge most user data. There are a few known issues, including mentions and quotes not being updated. For more details and to leave feedback see https://meta.discourse.org/t/ability-to-merge-users/9220/89?u=jomaxro.

Improved Category/Tag Dropdowns

First released in Discourse 1.9.0.beta15, @joffreyjaffeux has continued to improve our select boxes and dropdowns. For 2.0.0.beta4, further improvements to the tag selector in the composer have been added.

Improved signature stripping

Many users who email into Discourse include email signatures in their posts. We’ve improved our detection of signatures to hide even more signatures by default, including signatures from Gmail, Outlook, Exchange, and more.

Asset rate limiter tweaks

CSS and avatars were being caught by the max reqs per ip rate limit. To help mitigate this, assets are now limited to 200 per 10 seconds instead of 50.

Edit: It should be noted that as of March 7, 2018, max reqs per ip, including the asset rate limiter, is disabled by default.

Security Updates

This beta includes 2 security fixes for issues reported by our community and HackerOne.

  • Sanitize topic title when staff is viewing a user’s past flagged posts and deleted topics
  • Ensure users have permission when moving categories

Even more!

But wait, there’s more! For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

Staff Notes

  • Fix broken post link in subfolder installs
  • Improve staff notes icon layout on mobile


  • Fix link to solved post opening in new tab instead of jumping to post in topic

Data Explorer

  • Sort queries alphabetically


  • Unassign topic if all topic flags are handled
  • Live update for “assigned” personal messages

Additional Features and Fixes

New Features

  • Editing_grace_period_max_diff to force revisions in grace period
  • Live updates for user’s messages page.
  • Detect when client thinks user is logged on but is not
  • Limit assets less than non asset paths
  • We need access to settings in theme js
  • Whitelist data for themes
  • Disallow groups from being indexed
  • IP.Board 3 importer
  • Disallow login via omniauth when user has 2FA enabled.
  • Begone gmail signatures!
  • Show “edit message” button on message footer for staff
  • Trigger topic webhook when topic status is updated.
  • Use HTML instead of text for incoming emails by default
  • Add instrumentation for all external net calls
  • New site setting ‘max_emojis_in_title’

Bug Fixes

  • Correctly allow tag creation if this.site.get("can_create_tag")
  • loadBefore should include current params as well.
  • Publish live messages to both team inbox and archive on update.
  • User archiving message should also publish to sent section.
  • User archive messages should only publish to the user.
  • Missing messages incoming indicator for mobile.
  • Do not show read-only cursor on mini-tag-chooser
  • Email_domains_whitelist prevented creation of anonymous users
  • Consider live links in <code> as links when counting
  • Only unsubscribe channel if it was subscribed.
  • Incorrectly deleting channel preventing us from unsubscribing MB.
  • Typo prevented extraction of email signatures
  • Reset_db
  • Don’t lock wiki posts when they’re edited
  • Regression preventing the display of replying... in the composer
  • Do not treat :: as a valid emoji
  • Display keyboard on mobile when focusing mini-tag-chooser
  • Inviting a group that I am part of creates a notification.
  • Set first visit PM notification level to group default notification level.
  • Capital bbcode tags were broken
  • Make it possible to edit tags on topics on mobile
  • Makes sure we recompute shouldDisplayCreateRow after request
  • Disable “Make Personal Message” if they are disabled
  • Translate the hover text or emoji categories
  • Tag input in composer was not respecting tag group rules
  • In some instances expanding hamburger menu broke layout in iOS
  • ‘reply by email addresses’ site settings should allow email addresses without a ‘reply_key’ when ‘find related post with key’ is disabled
  • Do not allow invite notifications from muted user/topic
  • Makes sure [999500..999999] is correctly shown as 999k
  • Missing 2FA guards when sso is enabled or when local login is disabled.
  • Don’t lock a post on edit unless the raw changes
  • Sidekiq job has wrong data when post owner changes within transaction
  • Merging users shouldn’t add more than 1 secondary email
  • Allow changing post owner even when topic validations fail
  • Associated Instagram account was missing at some places
  • Emoji search was not finding aliases
  • Category drop header padding when using category box style
  • Improves positioning of select-kit body
  • Brewfile was out of date
  • RateLimiter max of zero or less should raise rate limit exceeded.
  • Incorrect rate limit applied to topics invitation flow.
  • Don’t include unlisted topic in groups/posts
  • Don’t show Other Tags on /tags if there aren’t any to show
  • Don’t allow other flag actions after notify_moderator has happened.
  • Stop double counting net calls in logs
  • Use 60 minutes, not 60 seconds for column dropper
  • Load tag_groups and not tags
  • Prevents create row to be displayed if term is in displayed list
  • Prevents selected value from hiding one item of the list
  • Allow changing post owner even when validations fail
  • Retry with GET request when HEAD fails with error 400
  • Mini-tag-chooser was not returning a correct list of tags
  • Auto re-opened topics should restore category auto close settings.
  • Header icon out of bounds in tag-drop on some browsers
  • Direct link to group activity page results in 400 error.
  • Missing translation.
  • Must be able to post in a topic in order to vote on a poll
  • Handle <pre> inside <blockquote> in html_to_markdown
  • Only likes should change the given daily likes
  • Anonymous users shouldn’t see the link to new in the footer
  • Local post onebox was always pointing to 1st post
  • Properly render emojis in local oneboxes
  • Missing translation for non-admin when editing a group.
  • Do not log personal message view if user can’t see the message
  • Don’t double request when downloading a file
  • SimplePress importer wasn’t handling increment imports properly
  • Update group user count when bulk adding users
  • Incorrect caching of theme keys
  • Preview theme not working consistently
  • 2FA prompt incorrectly displayed on admin login page.
  • Show names when available
  • Social login buttons were not working
  • Login buttons not working on sign up modal.
  • No error displayed when 2FA token is invalid on admin login page.
  • Allow customized usernames to work in this route
  • Error when deleting a tag associated with a deleted topic
  • Never open internal links in a new tab when user prefers opening external links in a new tab
  • Can_tag method called without guardian variable
  • Include deleted topics in the post serializer
  • Invalid token error incorrectly displayed on email login page.
  • Links in quotes should be counted for rate limits
  • Check for 2factor on change email controller
  • Email controller - only show second factor errors on attempt
  • Check against ‘true’ to enable second factor.
  • Use the avatar of the post rather than the topic in local oneboxes
  • Strip zero width spaces from topic title
  • Stylesheet::Manager.stylesheet_link_tag cache should account for Discourse.current_hostname.
  • Include title in local onebox when linking to a different topic
  • Admin was not able to unblock screened IP address
  • Cookies header didn’t have the right format
  • Do not show mail-forward icon if not needed
  • Ruby bench not working properly
  • Binding_of_caller not working on Ruby 2.5
  • Support old Service Worker source file path to avoid routing errors.
  • Data export should fill missing dates with zero value
  • Support incoming emails with just an attachment

UX Changes

  • Add title to user messages page.
  • Improvements for theme UI
  • Improving badge page layout
  • Display warning message about social logins disabled when 2FA is enabled.
  • Remove fast scroll which is leading to bugs
  • Hide social login buttons when requesting for 2FA token.
  • When a post is blocked due to a watched word, message includes the word being blocked
  • Incorrect width for webhook events. Take 2.
  • Incorrect width for webhook events.
  • Use ‘tel’ input type for 2FA token inputs.
  • Move ‘show words’ checkbox close to the words in the Watched Words UI
  • Specify pattern and maxlength for 2FA input fields.
  • Invited users should watch PM topic once topic has been visited.
  • Add reset password email button when confirming password before enabling 2FA.
  • Don’t show admin 2FA edit icon on profile of other users.
  • Improve indication of 2FA status in user’s preferences.
  • Don’t disable submit button before transitioning in 2FA flow.
  • Fix missing css styles on invite modal.
  • Add og metadata for groups.
  • Remove default focus styling from posts & topic list items
  • Make the .selected class follow focus
  • Use focus as the first selector for J/K navigation
  • Apply hover styling to post actions on focus
  • Smaller input field for preferences 2FA form.
  • Display lock icon in admin user lists when user has 2FA enabled.
  • Implementing a box-shadow system, cleaning up existing shadows
  • Improving header scalability for large font themes


  • Avoid fetching a bunch of ids in polls updater.
  • Remove N+1 queries on topic list page.
  • Fast docking of timeline so it does not overlap
  • Upgrade Oj gem